
Security Sounds Good, But Does It Make Me Money?
A brief look at the return on investment from security spending
by Claudiu Popa
From time to time, I find myself
sucked into discussions about the return on investment of security.
The discussion goes something like this: from a business perspective,
if security is an expense and I can choose to incur it or not, why
should I? I seem to have done just fine until today. Then, a more
enlightened issue comes up: if I understand the risk and I am willing
to take it, that means I have the choice of spending money on prevention
or remediation. Why not wait until something happens and then…
we’ll call you.
That just about describes the biggest misconception
in business today.
A possible analogy that also gives my audience ample
opportunity to disagree goes like this: if I have to cross the highway
on foot every day to buy milk (picture Eddie Murphy in Bowfinger,
running across the highway in tears) and I have managed to do it
successfully for seven days in a row, why not keep doing it until
I get hit, and then deal with it depending on how badly I'm
injured? Who knows, maybe it won't hurt that badly anyway! Imagine
the savings.
I mention this particular issue because I find,
based on industry statistics, the lack of awareness to be absolutely
staggering. Businesses from the 'micro' level to multinationals
equally ignore a risk that changes every day. This risk created
worldwide losses of $US55 billion last year due to viruses alone.
I say 'alone' because manual attacks carried out by people rather
than by software are far more damaging. Hacking, theft, identity
theft, wireless breaches, insider crime, and the downtime they cause
start as crimes of opportunity or revenge. They hit organizations
much like the ones you can probably think of: no budget for this
sort of thing, and no security strategy that could be explained
with a straight face.
The fact is, insurance is a part of doing business
and it does serve a purpose: to provide financial compensation for
losses incurred as a result of an unlikely disaster. Cyber-security
insurance policies do exist, but they are obscure, and they are no
more a solution than, say, a financial settlement after you've
lost the use of your limbs in an 'accident.' As for remediation
efforts and incident management, a recent survey shows that the
cost of fixing a breach or a loss after it has happened can be about
ten times higher than the cost of planning for it and anticipating
it.
Prevention is the only way to protect the intangible
information assets of a business, the soft, squishy stuff that accounts
for up to 80% of its value (Wleugel, Dowdall, Grange 2003). Prevention
means building information security into your business processes,
aligning your policies with those of your suppliers, hardening your
systems, and educating staff.
Yes, education! Stop worrying about signing up for
the latest Web-based tutorial on how to extract another 5% of use out
of Microsoft Word; print a tutorial leaflet and let your staff read
that before going to bed. Instead, management should worry about
the fact that their frontline workers are unprepared for any situation
that threatens the company's assets. Hey, if it doesn't show up in
the financial statements, it isn't happening, right?
Well, guess what? According to a recent FTSE350
survey of public companies, 50% of them don't think security has
anything to do with share price and public perception. Unfortunately
for them, 83% of investors do think so and a quarter of them would
immediately take their business elsewhere.
Even more outrageous, 71% of executives think that
security - the security of their business assets - is the responsibility
of their IT staff. Again, 87% of investors say they will hold executives
personally accountable. Under new legislation, in fact, they'll
also get 20 years in jail to ponder the situation and understand
how that liability stuff works. A good information technology professional
will advise management and business owners to adopt proper risk
management. In fact, I published a press
release this week to that effect. Hundreds of media outlets
have seen it. Will it have an impact? I hope so.
Now about my point, which is that there is, in fact,
a substantial return on investment from security. Obviously,
this is something that costs money, just like rent, computers, training,
etc. However, unlike those things, clients care about the degree
to which a business protects their valuables. Between two competitors,
the one more likely to gain my trust is the one that
impresses me with its safeguards, compliance, and general security
awareness. That's generally how we all pick a 'good' mechanic. Let's
face it, the difference between a good mechanic and a bad one is
how they treat your car and how they take care of you. Just like
customer service, security safeguards represent an aspect of business
that can, and often does, close a sale.
In addition to that, security preparedness makes
money by avoiding losses, liability, retrofitting, emergency incidents
and lost productivity. I'm talking about the difference between
spending $100 on protection and prevention, or $1000 on hasty repairs
in the very best case. With proper risk management, a business
can increase security without increasing spending, streamline processes,
and extract valuable incremental productivity.
So if you ask me whether security makes you money,
my answer is yes. Absolutely. The more valuable the business, the
more money you keep by not waiting to lose it first.
For more biased commentary, tune in next week.
Claudiu Popa is an executive security advisor. A
previous contributor to Lockergnome, Claudiu publishes The PULSE,
a quasi-monthly e-mail newsletter. As president of Informatica Corporation
in Toronto, he spends most of his time forcing security awareness
on unsuspecting employees, managers and business owners who would
rather do something else.
-30-